Use one of the following four methods to create a configuration item in the Configuration Manager console.

Method

Description

More information

Create a new configuration item

Use the Create Configuration Item Wizard to create the configuration item.

Use this method to create a configuration item when you want to configure all properties, or you have no existing configuration item from which you can create a duplicate or a child configuration item.

For more information about how to create a configuration item by using the wizard, see the steps and supplemental procedures in this topic.

Use this method to create a configuration item when you want a configuration item that continues to inherit the properties of an existing configuration item, but refines them with more detailed configuration.

Use this method to create configuration items when they have been defined outside the Configuration Manager hierarchy. For example, you created them in a test environment and now want to use them on the production network, or you want to import best practices from a Configuration Pack that vendors provided.

Create a duplicate configuration item from the Configuration Items node.

Use this method to create a configuration item when you want an exact copy of an existing configuration item to use as your starting point, but you want to modify it to create an independent configuration item from the original.

To create a duplicate of a configuration item, select a configuration item in the Configuration Items node and then, on the Home tab, in the Configuration Item group, click Copy.

Important

When you create a duplicate configuration baseline or configuration item, the duplicate does not retain a relationship to the original configuration data. Therefore, if the original configuration data is upgraded, any revisions are not passed to the duplicate configuration baseline or configuration item.

Warning

Do not configure configuration items with identical settings that evaluate different values and assign them to the same devices. When devices evaluate configuration items that have conflicting values, the order in which they are evaluated is nondeterministic.

Use the following steps and the supplemental procedures when you want to create a new configuration item for Windows-based computers.

Compliance rules specify the conditions that define the compliance of a configuration item. Some settings let you remediate values that are found to be noncompliant. You can also create new rules by browsing to existing settings in any configuration item and creating rules against them.

On the General page of the Create Configuration Item Wizard, specify the following information:

Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters.

Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters.

In the Specify type of configuration item that you want to create list, select Windows.

If this configuration item is used to assess the compliance of an application, and you want to use a detection method to detect whether the application is present, select This configuration item contains application settings.

Use this procedure to provide detection method information for the configuration item.

Note

Applies only if you selected This configuration item contains application settings on the General page of the wizard.

A detection method in Configuration Manager contains rules that are used to detect whether an application is installed on a computer. This detection occurs before the configuration item is assessed for compliance. To detect whether an application is installed, you can detect the presence of a Windows Installer file for the application, use a custom script, or select Always assume application is installed to assess the configuration item for compliance regardless of whether the application is installed.

Use these procedures to configure detection methods in System Center 2012 Configuration Manager.

On the Settings page of the Create Configuration Item Wizard, click New.

On the General tab of the Create Setting dialog box, provide the following information:

Name: Enter a unique name for the setting. You can use a maximum of 256 characters.

Description: Enter a description for the setting. You can use a maximum of 256 characters.

Setting type: In the list, choose one of the following setting types to use for this setting:

Setting type

More information

Active Directory query

Configure the following for this setting type:

LDAP prefix - Specify a valid prefix to the Active Directory Domain Services query to assess compliance on client computers. You can use either LDAP:// for a or GC:// to perform a global catalog search.

Distinguished Name (DN) - Specify the distinguished name of the Active Directory Domain Services object that is assessed for compliance on client computers.

For example, if you want to evaluate a value related to a user named John Smith in the corp.contoso.com domain, enter the following:

One Level - This option is not used in this version of Configuration Manager.

Subtree - Queries the object that is specified and its complete subtree in the directory.

Property - Specify the property of the Active Directory Domain Services object that is used to assess compliance on client computers.

For example, if you want to query the Active Directory property badPwdCount, which stores the number of times a user incorrectly enters a password, enter badPwdCount in this field.

Query - Displays the query constructed from the entries in LDAP prefix, Distinguished name (DN), Search Filter (if specified), and Property, which are used to assess compliance on client computers.

For more information about constructing LDAP queries, see your Windows Server documentation.

Assembly

Configure the following for this setting type:

Assembly name: Specifies the name of the assembly object that you want to search for. The name cannot be the same as other assembly objects of the same type and must be registered in the Global Assembly Cache. The assembly name can be up to 256 characters long.

Note

An assembly is a piece of code that can be shared between applications. Assemblies can have the file name extension .dll or .exe. The Global Assembly Cache is a folder named %systemroot%\Assembly on client computers where all shared assemblies are stored.

File system

Configure the following for this setting type:

Type – In the list, select whether you want to search for a File or a Folder.

Path - Specify the path of the specified file or folder on client computers. You can specify system environment variables and the %USERPROFILE% environment variable in the path.

Note

If you use the %USERPROFILE% environment variable in the Path or File or folder name boxes, all user profiles on the client computer are searched, which could result in multiple instances of the file or folder that is found.

If compliance settings do not have access to the specified path, a discovery error is generated. Additionally, if the file you are searching for is currently in use, a discovery error is generated.

File or folder name - Specify the name of the file or folder object to search for. You can specify system environment variables and the %USERPROFILE% environment variable in the file or folder name. You can also use the wildcards * and ? in the file name.

Note

If you specify a file or folder name and use wildcards, this combination might produce a high number of results and could result in high resource use on the client computer and high network traffic when reporting results to Configuration Manager.

Include subfolders – Enable this option if you also want to search any subfolders under the specified path.

This file or folder is associated with a 64-bit application - If enabled, only 64-bit file locations (such as %ProgramFiles%) will be checked on 64-bit computers. If this option is not enabled, both 32-bit (such as %ProgramFiles(x86)%) and 64-bit locations will be checked.

Note

If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-bit computer, multiple files are discovered by the global condition.

The File system setting type does not support specifying a UNC path to a network share in the Path box.

Hive – In the list, select the registry hive that you want to search in.

Key - Specify the registry key name that you want to search for. Use the format key\subkey.

This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows.

Note

If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition.

Registry value

Configure the following for this setting type:

Hive - In the list, select the registry hive that you want to search in.

Key - Specify the registry key name that you want to search for. Use the format key\subkey.

Value – Specify the value that must be contained within the specified registry key.

This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows.

Note

If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition.

You can also click Browse to browse to a registry location on the computer or on a remote computer. To browse a remote computer, you must have administrator rights on the remote computer and the remote computer must be running the remote registry service.

Script

Configure the following for this setting type:

Discovery script – Click Add to enter, or browse to the script you want to use. You can use Windows PowerShell, VBScript, or Microsoft JScript scripts.

Run scripts by using the logged on user credentials – If you enable this option, the script runs on client computers by using the credentials of the logged-on users.

Note

The value returned by the script is used to assess the compliance of the global condition. For example, when using VBScript, you could use the command WScript.Echo Result to return the Result variable value to the global condition.
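The following discovery script is an added example, not part of the original documentation. It ties together the note above and the earlier notes on 64-bit and 32-bit registry locations: it reads one value from both registry views and returns a single result, so a compliance rule compares one value instead of two discovered instances. The key name, the value name and the NotFound and Mismatch result strings are hypothetical; the script assumes Windows PowerShell running on .NET Framework 4 or later.

```powershell
# Added example: discovery script for a Script setting.
# Assumption: the key and value names are hypothetical placeholders.
$subKey    = 'SOFTWARE\Contoso\Agent'   # hypothetical, format key\subkey
$valueName = 'RequireSigning'           # hypothetical value name

function Get-ValueFromView {
    param(
        [Microsoft.Win32.RegistryView] $View,
        [string] $SubKey,
        [string] $ValueName
    )
    # OpenBaseKey with an explicit view needs .NET Framework 4 or later.
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $View)
    try {
        $key = $base.OpenSubKey($SubKey)   # opens the key read-only
        if ($null -eq $key) { return $null }
        try     { return $key.GetValue($ValueName, $null) }
        finally { $key.Close() }
    }
    finally { $base.Close() }
}

# A 32-bit OS has a single registry view; a 64-bit OS has two.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views += [Microsoft.Win32.RegistryView]::Registry64
}

# Collect the value, as text, from every view where it exists.
$found = @(foreach ($view in $views) {
    $data = Get-ValueFromView -View $view -SubKey $subKey -ValueName $valueName
    if ($null -ne $data) { [string] $data }
})

# Emit exactly one value for the compliance rule to compare against.
$distinct = @($found | Sort-Object -Unique)
if ($distinct.Count -eq 0) {
    Write-Output 'NotFound'        # value absent in every view
}
elseif ($distinct.Count -eq 1) {
    Write-Output $distinct[0]      # all views that have the value agree
}
else {
    Write-Output 'Mismatch'        # 32-bit and 64-bit views disagree
}
```

A compliance rule on this setting can then require the expected value and treat NotFound and Mismatch as noncompliant.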

SQL query

Configure the following for this setting type:

SQL Server instance – Choose whether you want the SQL query to run on the default instance, all instances, or a specified database instance name.

Note

The instance name must refer to a local instance of SQL Server. To refer to a clustered SQL server instance, you should use a script setting.

Database - Specify the name of the Microsoft SQL Server database against which you want to run the SQL query.

Column - Specify the column name returned by the Transact-SQL statement that is used to assess the compliance of the global condition.

Transact-SQL statement – Specify the full SQL query you want to use for the global condition. You can also click Open to open an existing SQL query.

Important

SQL Query settings do not support any SQL commands that modify the database. You can only use SQL commands that read information from the database.

WQL query

Configure the following for this setting type:

Namespace - Specify the Windows Management Instrumentation (WMI) namespace which is used to build a WQL query that is assessed for compliance on client computers. The default value is Root\cimv2.

Class - Specifies the WMI class which is used to build a WQL query that is assessed for compliance on client computers.

Property - Specifies the WMI property which is used to build a WQL query that is assessed for compliance on client computers.

WQL query WHERE clause - You can use the WQL query WHERE clause item to specify a WHERE clause to be applied to the specified namespace, class, and property on client computers.

XPath query

Configure the following for this setting type:

Path - Specify the path of the .xml file on client computers that is used to assess compliance. Configuration Manager supports the use of all Windows system environment variables and the %USERPROFILE% user variable in the path name.

XML file name - Specify the file name containing the XML query that is used to assess compliance on client computers.

Include subfolders - Enable this option if you also want to search any subfolders under the specified path.

This file is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\System32) should be searched in addition to the 32-bit system file location (%windir%\Syswow64) on Configuration Manager clients that are running a 64-bit version of Windows.

XPath query - Specify a valid full XML path language (XPath) query that is used to assess compliance on client computers.

Namespaces - Opens the XML Namespaces dialog box to identify namespaces and prefixes to be used during the XPath query.

Important

If you attempt to discover an encrypted .xml file, compliance settings find the file, but the XPath query produces no results, and no error is generated.

Note

If the XPath query is not valid, the setting is evaluated as noncompliant on client computers.
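The following PowerShell function is an added example, not part of the original documentation, for checking an XPath query and its namespace prefixes on a reference computer before you enter them in the setting. It uses the .NET XPath engine to separate a query that is not valid from a valid query that matches nothing, which is what happens when a document declares a default namespace and the query uses no prefix. The sample document, the namespace URI and the function name Test-XPathSetting are constructed for illustration.

```powershell
# Constructed sample file content; the namespace URI and names are made up.
$sample = @'
<configuration xmlns="urn:example:contoso-agent">
  <security>
    <setting name="RequireTls" value="true" />
  </security>
</configuration>
'@

function Test-XPathSetting {
    param(
        [string]    $Xml,
        [string]    $XPath,
        [hashtable] $Namespaces = @{}
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)

    # Equivalent of the prefix and namespace pairs in the Namespaces dialog box.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    foreach ($prefix in $Namespaces.Keys) {
        $ns.AddNamespace($prefix, $Namespaces[$prefix])
    }

    try {
        $nodes = $doc.SelectNodes($XPath, $ns)
    }
    catch {
        # Malformed expression or a prefix that was never declared.
        return 'InvalidQuery: ' + $_.Exception.GetBaseException().Message
    }

    if ($nodes.Count -eq 0) { return 'NoResults' }
    return @($nodes | ForEach-Object { $_.InnerText }) -join ','
}

$map   = @{ a = 'urn:example:contoso-agent' }
$query = "//a:setting[@name='RequireTls']/@value"

# Case 1: no prefix, although the document declares a default namespace.
Test-XPathSetting $sample "//setting[@name='RequireTls']/@value"
# Case 2: prefix used in the query and declared in the namespace map.
Test-XPathSetting $sample $query $map
# Case 3: prefix used in the query but not declared.
Test-XPathSetting $sample $query
# Case 4: syntactically incomplete expression.
Test-XPathSetting $sample "//a:setting[@name=" $map
```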

Data type: In the list, choose the format in which the condition returns the data before it is used to assess the setting. The Data type list is not displayed for all setting types.

Note

The Floating point data type supports only 3 digits after the decimal point.

Configure additional details about this setting under the Setting type list. The items you can configure vary depending on the setting type you have selected.

Note

When you create settings of the type File system, Registry key, and Registry value, you can click Browse to configure the setting from values on a reference computer. To browse to a registry key or value on a remote computer, the remote computer must have the Remote Registry service enabled.

Use the following procedure to configure compliance rules for the configuration item.

Compliance rules specify the conditions that define the compliance of a configuration item. Before a setting can be evaluated for compliance, it must have at least one compliance rule. WMI, registry, and script settings let you remediate values that are found to be noncompliant. You can create new rules or browse to an existing setting in any configuration item to select rules in it.

Critical with event: Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.

For a rule type of Existential, specify the following information:

Note

The options shown might vary depending on the setting type you are configuring a rule for.

The setting must exist on client devices

The setting must not exist on client devices

The setting occurs the following number of times:

Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following:

None: Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports.

Critical with event: Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.

On the Supported Platforms page of the Create Configuration Item Wizard, specify one of the following options:

Select the versions of Windows that will assess this configuration item for compliance: In the list, select the Windows versions on which you want the configuration item to be assessed for compliance, or click Select all.

Specify the version of Windows manually: Click Edit to open the Specify Windows Version Manually dialog box, and then provide the full version number of the version of Windows on which you want the configuration item to be assessed for compliance.

Note

You can use the winver.exe command at a Windows command prompt to display the full Windows version.

Click OK to close the Specify Windows Version Manually dialog box.

Note

This option is not displayed if you have selected the This configuration item contains application settings check box on the General page of the Wizard.

On the Summary page of the Wizard, review the actions that will be taken, and then complete the wizard. The new configuration item is displayed in the Configuration Items node in the Assets and Compliance workspace.